Certificate Renewal Fails with Error “Unable to Get Local Issuer Certificate”


Article ID: 430169


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • After upgrading to version 30.2.6, Let’s Encrypt certificate renewals may fail with the error “certificate verify failed: Unable to get local issuer certificate.”
  • This error appears in the Avi UI under Template → Security → SSL/TLS Certificates during both manual renewal and automatic updates.

  • Although the required Let’s Encrypt root/intermediate certificates are present in the directory /usr/lib/ssl/certs, OpenSSL fails to validate the certificate chain.

Environment

  • VMware Avi Load Balancer 30.2.6

Cause

  • This happens because the hashed Certificate Authority (CA) entries required for proper CA path lookup are missing. Without these hashed links, OpenSSL cannot build a valid trust chain, resulting in verification failure.

Resolution

Workaround:

  • Manually regenerate the hashed CA entries by running the c_rehash command on all controller nodes.
  • SSH into each controller node, obtain root privileges, and run the following commands:
      sudo -i
      <enter the admin credentials>
      c_rehash /usr/lib/ssl/certs
  • This recreates the necessary hash links and restores proper certificate validation.
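
To confirm the condition described under Cause, and to verify the result after running c_rehash, the following added example (not part of the original article or of the product) lists the certificates in a CA directory that have no matching hash link. The function name missing_hash_links is hypothetical, and the script assumes the openssl command-line tool is available and that the CA files end in .pem or .crt.

```shell
#!/bin/sh
# Added example: report CA certificates in an OpenSSL CA directory that have
# no matching <subject_hash>.N link, which is the state c_rehash repairs.
# Assumptions: openssl CLI is installed; CA files end in .pem or .crt.

# Print each certificate in directory "$1" that a CA path lookup cannot find.
missing_hash_links() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue   # unmatched glob or dangling symlink
        # Skip files that do not parse as X.509 certificates.
        subj_hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert" 2>/dev/null) || continue
        found=no
        # Certificates sharing a subject hash get suffixes .0, .1, ...;
        # accept a link only if it resolves to this exact certificate.
        for link in "$dir/$subj_hash".[0-9]*; do
            [ -e "$link" ] || continue
            link_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$link" 2>/dev/null) || continue
            if [ "$link_fp" = "$fp" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || printf '%s\n' "$cert"
    done
}

# Run the check when a directory is given on the command line,
# for example: sh check_hash_links.sh /usr/lib/ssl/certs
if [ "$#" -gt 0 ]; then
    missing_hash_links "$1"
fi
```

Empty output means every parsed certificate is reachable through a hash link; any path printed is a certificate that verification will not find until the links are regenerated.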

Permanent Fix:

  • This issue has been resolved in version 30.2.7, where the required CA hash handling is properly integrated.